Sometimes security research is interesting when it doesn't provide insight into significant vulnerabilities or risks, but rather sheds light on the incredible amount of patience and creativity needed in order to better understand the inner workings of today's latest technologies.
This work can be valuable from the perspective of analyzing systems and techniques, which can enable us to stay ahead of those who are looking to leverage threats for personal gain. The goal behind our Apple Watch presentation at DEFCON is to provide a window into the mind of a researcher, showcasing the unique set of skills, determination and rationalization needed from someone in order to piece this jailbreak together from scratch. We hope that our presentation will enable DEFCON attendees to understand both platforms at a deeper level and show the interesting technological features that make the Apple Watch different than the core iOS platform.l
The Apple Watch was released in 2015, catapulting Apple into the wearables category. At this year's Worldwide Developer Conference, Apple announced that not only is the watch the #1 selling smartwatch on the market, but also announced the impending release of watchOS 4. So far, there have been two generations of the watch running on an underclocked AMRv7k 32-bit processor. Additionally, the Apple Watch runs a modified version of iOS called watchOS that has had three major software releases (1.0-3.0).
Since its release, Apple has continued to enhance the watch's design and security features, incorporating many of the security learnings from the iOS ecosystem including:
- A secure boot chain to verify the firmware and boot components' integrity
- Code signing to verify that code that is running on a device is signed by trusted party
- Application sandboxing to limit what an app can do on the device
- Secure Enclave Processor to made cryptographical operations safe
- Data protection to protect user data stored on the device
However the Apple Watch, like most smartwatches, requires that it be tethered to an iPhone in order to set up and make the watch active. Apple Watch doesn't really have the traditional sort of access that an iPhone does to install apps, or add or delete data to the device. Rather, to do all of the above on an Apple Watch a user needs to install a separate watch app on their iPhone. Once the app has been installed on an iPhone, that app (depending on how the user has configured their watch) will trigger a second watch app to be installed onto their watch from the paired iPhone. This is essentially an app within an app. All of the apps and data you see on an Apple Watch is delivered there, via the iPhone and its watch management software.
In the Apple ecosystem, in order to explore the internals and security aspects of an Apple iOS based device it's necessary to use a jailbreak. However, a jailbreak does not exist publicly for watchOS so we had to create one. We couldn't do that for a completely patched version of watchOS - we used an earlier version that had previously known and patched vulnerabilities to create a jailbreak in order to gain access. We picked a version watchOS 2 and 3 and used a series of known and patched vulnerabilities, some of which have publicly available exploit code (CVE-2016-4656, CVE-2016-4680, and CVE-2017-2370).
Over the course of multiple weeks, we chained these exploits together in conjunction with a watch app to deliver the jailbreak. This process involved constructing an exploit by dumping part of the kernel 4 characters at a time, rebooting the watch 50 times. Then we set up arbitrary memory read and write primitives and found a way to set up an SSH over bluetooth. Once the device was successfully jailbroken, an SSH session was established for a researcher to explore the internals of watchOS further. However, as previously discussed, all networks connections are routed through a proxy connection the watch establishes with the iPhone. This makes the iPhone the gatekeeper to anything that gets on and off the watch - the phone is a required attack vector to break into the watch.
After successfully achieving this jailbreak, we were able to explore the internals of the watch and learn about its general structure and its ability to access iPhone-synced data.
For more details on the mindset one must take in order to assess and execute research at this level, along with a detailed analysis on the internals of the Apple Watch, check out our talk at DEFCON 25 on Thursday, July 27 at noon.